[unisog] Anyone doing large scale NAT for their campus?
mitch at ccmr.cornell.edu
Mon Sep 23 16:38:35 GMT 2002
On Mon, 23 Sep 2002, Scott Genung wrote:
> It can be argued that NAT undermines the end-to-end model of the Internet.
> However (my opinion), that is only a religious argument. NAT does not
> really (appear) to impact file sharing applications because translations
> already exist by the time a user is seeking content from a host on your
> network because this host already registered itself with an external
> directory (thereby creating the translation). As long as there is flow from
> the private address source, the translation will remain valid and the
> content of a private address host can be reached from outside your network.
> Again, this can be controlled to a limited degree by how long you allow
> inactive translations to remain cached.
Your argument seems to be based on the specific characteristics of
existing applications. I.e. the private-addressed machine initiated
the connection, so everything will just work. This argument works
fine for applications that fit this model. It breaks down for those
a) Microsoft Netmeeting
b) Sidecar: Sidecar is something developed by a coalition of universities
for enabling kerberos authentication for applications that don't already
have kerberos built-in. The upshot of it is it runs a service on every
user machine on port 913. Put the machine behind a NAT and sidecar doesn't
work and applications that depend on it fail.
There is a great argument to be made that NATs are necessary in the IPv4
world of today. But claiming that they don't break applications and that
end-to-end is just a religious argument is ridiculous.
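The translation-table behaviour both posters describe, as an added example that is not part of the thread: a toy NAT model in which a mapping exists only after an outbound packet and is dropped after an idle timeout. It assumes endpoint-independent filtering (any outside host may use a live mapping), a 60-second idle timeout, and constructed RFC 5737 / RFC 1918 addresses; a real NAT's filtering rules and timers vary by product.

```python
from dataclasses import dataclass

@dataclass
class Mapping:
    private: tuple    # (ip, port) inside the NAT
    public: tuple     # (ip, port) seen by the outside world
    last_seen: float  # time of last packet in either direction

class Nat:
    """Toy NAT (added example): mappings exist only after an outbound
    packet and vanish after idle_timeout seconds without traffic."""
    def __init__(self, public_ip, idle_timeout):
        self.public_ip, self.idle_timeout = public_ip, idle_timeout
        self.next_port = 40000   # next free public port to hand out
        self.by_private, self.by_public = {}, {}
    def _expire(self, now):
        for m in list(self.by_private.values()):
            if now - m.last_seen > self.idle_timeout:
                del self.by_private[m.private]
                del self.by_public[m.public]
    def outbound(self, src, now):
        """Private host sends out: create or refresh its translation."""
        self._expire(now)
        m = self.by_private.get(src)
        if m is None:
            m = Mapping(src, (self.public_ip, self.next_port), now)
            self.next_port += 1
            self.by_private[src] = self.by_public[m.public] = m
        m.last_seen = now
        return m.public
    def inbound(self, dst, now):
        """Outside host sends to a public endpoint: forwarded only while a
        translation is live, otherwise dropped (returns None)."""
        self._expire(now)
        m = self.by_public.get(dst)
        if m is None:
            return None
        m.last_seen = now
        return m.private

def scenario():
    nat = Nat("203.0.113.1", idle_timeout=60)   # constructed addresses
    sharer = ("10.1.2.3", 6881)   # file-sharing client that registers outward
    # A Sidecar-style service listening on 913 never sends first, so no
    # mapping exists and an unsolicited inbound packet to 913 is dropped.
    r1 = nat.inbound(("203.0.113.1", 913), now=0)
    pub = nat.outbound(sharer, now=10)   # registering creates the mapping
    r2 = nat.inbound(pub, now=20)        # outside peer now reaches sharer
    r3 = nat.inbound(pub, now=100)       # 80s idle > 60s: mapping expired
    return r1, pub, r2, r3
```

The idle-timeout knob is the only lever the quoted post mentions, and the scenario shows its limit: it can keep an outbound-created mapping alive longer, but it never creates one for a service that only listens.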